Is it Safe to Store Your Trade Secrets in the Cloud?

Authored by Robert F. McCauley III and Ming-Tao Yang

A CIO's nightmare may be realized if several seemingly-plausible assumptions regarding "cloud" computing and storage turn out to be untrue. These may include the assumption 1) that it is safe to put "everything" my company has in the cloud; 2) that my company's trade secrets will remain protectable "secrets" in the cloud, even after an accidental leak or an intentional hack is stopped; and 3) in the event of leaks or hacks, the cloud service providers are liable for our losses under our cloud-service agreements. Unfortunately, these assumptions may not be correct.

Companies and their staff may choose to store all kinds of information in the cloud:

• Trade secrets and valuable information
• Outsourced storage, e-mail or financial services
• Information accessible by or stored in employees' smart phones. For example, iPhone users have the option of backing up all iPhone files to the cloud.
• Images and information employees post on social network sites, including Facebook, Twitter and LinkedIn

The trouble is, there are things the CIO has no control over when the company's information is in the cloud. For example, such information can be stored essentially anywhere in the world, including locations outside the direct reach of U.S. law. Moreover, the company's data can now be accessed remotely, sometimes by unauthorized subscribers. Finally, back-up, extra, or unsecured copies can exist even after the files are removed, modified or encrypted later. Each of these factors may impact the trade secret status of the information.

Trade secrets: Legal definition

A trade secret is any information (e.g., a formula, pattern, compilation, program, device, method, technique or process) that:

• Is valuable from not being generally known to either the public or those who can profit from disclosure or use; and
• Has been reasonably protected (i.e., subject to efforts that are reasonable under the circumstances to maintain its secrecy)

One of the key issues courts focus on in assessing entitlement to trade secret protection is whether the measures the company implemented to protect its information are reasonable under the circumstances.

Security of the cloud and mobile devices

Cloud providers tout having resources and abilities to secure highly-confidential or sensitive data. But no data stored online is perfectly secure, and intentional hacking and unintentional security breaches have become all too common. Two headlines from the last two years are good reminders:

• June 2011: "Online storage service Dropbox accidentally turned off passwords for four hours, potentially exposing data belonging to its 25 million customers to unauthorized users."
• June 2010: "AT&T has confirmed today that 114,067 iPad 3G owners have had their email information leaked to the Web, with the data being stolen by a group calling themselves Goatse Security."

Given such security vulnerabilities, might a court find that, by placing highly-sensitive and valuable information in the cloud, a company did not take "reasonable" efforts to maintain the secrecy of its information? While the courts have yet to grapple with this question, it deserves careful consideration.

Traditional factors considered by courts

Traditionally, courts have recognized common efforts, such as signing non-disclosure agreements, limiting employee access to a "need to know" basis, and controlling access to facilities, as examples of reasonable efforts. But in view of security risks, it is possible that a court might find that a company that placed its "crown jewels" in the cloud failed to take reasonable efforts to protect its data.

Moreover, the fact that cloud providers may contractually limit their liability to far less than the likely value of such "crown jewels" could further undermine a company's efforts to show that it took reasonable precautions to protect its data. For instance, cloud provider Salesforce.com has limited its liability for a data breach to the lesser of $500,000 or the amount paid by the subscriber in the twelve months preceding the breach. Given the potentially vast differential between the value of trade secrets and limitations on a provider's liability, a court might find that it is simply unreasonable for a subscriber to have placed such valuable information in the cloud.

Accordingly, by placing valuable information in the cloud, a company might risk losing its trade secrets in the event of a security breach. This is especially concerning, because the courts recognize that a trade secret, once lost, is lost forever.

Additional issues posed by social networks

The widespread use and "public" nature of social networks has also impacted what courts deem to be protectable trade secrets. For example, employees' information-exchanging communities on LinkedIn, Facebook or Twitter are outside of their employers' reach, making private information public by sharing it with connections and friends. Once posted, this information is hardly "protected" information.

For instance, in the case of Sasqua Group, Inc. v. Courtney, the plaintiff, a financial advisor business, brought a claim against a former employee for misappropriating its customer information. But the former employee suggested that virtually all personnel in the capital markets industry have contact information on social networks, making the customer information readily accessible. Finding that the information was not protectable, the court observed that "the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information in 2010 is a very different story."

Suggestions

A company should take extra care to protect its trade secrets. Accordingly, we suggest at least the following:

• Do not place "crown jewels" in the cloud. If anything, only place more routine data on the cloud.
• Implement smartphone and social network policies in employment agreements.
• Restrict employee's access and use of information to what is necessary for one's job responsibilities.

In so doing, your company may be able to avoid potential pitfalls in protecting its confidential and sensitive information in this age of proliferating technology and the cloud.

©Forbes. Reprinted by permission. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm's clients.